Month: February 2018

What is… GDPR? – Sophos News

Welcome to our What is series, where we turn technical jargon into plain English.

GDPR is short for General Data Protection Regulation, and it’s the name of a law in the European Union that sets out to protect the rights of individuals in respect of their data. Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply. Whether you’re a family bakery in Estonia that keeps a list of local delivery addresses, or a multinational giant headquartered outside Europe that sells globally online, GDPR applies to you.

GDPR was adopted as an EU law in April 2016, but the regulators decided to give us all plenty of time to become compliant, so the law only takes effect in May 2018. That’s just as well, because although it’s officially just “a regulation”, GDPR runs to 11 Chapters, 99 Articles and several hundred pages of legislation.

GDPR covers a lot more issues than many people realise. You’ll often hear GDPR mentioned as though it were concerned mainly with mistakes – in other words, that it’s mostly about data breaches and data breach notifications. Only three of the 99 Articles actually deal with breaches, because GDPR is more of a digital privacy lifestyle guide, covering all aspects of personal data and how you use it. Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply.

Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than most laws that existed around Europe before GDPR came in. At the very worst, GDPR penalties can go up to €20,000,000 or 4% of your global annual turnover, whichever is bigger. Of course, the regulators aren’t compelled to impose penalties that large, and it is reasonable to assume that they won’t blindly plump for the maximum every time, so we shan’t know how big the fines are likely to be until the first few have been handed out.

In short: GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have had in recent years, GDPR seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply.

Oh, to be clear: GDPR applies in the UK, which is currently part of the EU, and will effectively apply even after the UK leaves the EU, because the government plans to pass a local law that will mirror GDPR.

10 Ways GDPR Will Affect Data Collection and Use In 2018

GDPR is many things, but one thing that’s universal about it is that the regulation is all about the data. In this article, I’ll look at 10 areas that touch on the data requirements of GDPR.

Consent to process data
Opt-out, in most circumstances, won’t cut it with the GDPR.

Data choices – what to, and what not to, collect
Think about what data you really need to run your business. When you do process the data, especially when sharing data, if you can minimize the data processing, then do so.

Moving data between organizations – data portability
The GDPR has a number of data rights that allow EU citizens to place some controls over the use of their data. One of these is the ability to request that whoever collected their data provide them with access to that data, so that they can share it with another party without your company making it difficult to do so – even if they wish to share it with your competitor.

Erasing data – right to be forgotten
The right to be forgotten has been a contentious issue in privacy circles for many years, and the GDPR has finally added some weight to the argument. This part of the GDPR gives the data subject the right to request that any data you hold on them is ‘erased’ without delay.

Accessing data
Accessibility of data is a fundamental part of the GDPR. This subject right is about ensuring the data subject is able to access their collected data and find out the whys and wherefores of it. You need to allow the user to access their data and also let them know the types of processing being carried out and the category the data falls into.

Restricting data processing
This subject right covers the areas of data processing where disputes and differences of view may come into play. The article representing this right draws heavily upon the basis of consent within the GDPR.

Objections to data processing
There is provision within the GDPR to allow a data subject to object to their data being processed.

Automation of data processing
If you perform any automated processing of data – for example, you use data to profile your user base – then you will come under the auspices of the GDPR. Article 22 has special provisions for automated processing of an individual’s data.

International data transfers
There are provisions in the GDPR to allow for data transfers to non-EU countries or international organizations as long as there are recognized ‘adequate’ frameworks for sensitive data protection. Article 42 of the GDPR encourages the use of certifications to address cross-border transfers of data, stating that there is provision for the use of “Data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance”.

According to the company, the latest version is a major update to existing testing APIs and features new capabilities, enhances performance stability, and addresses bugs. It is sunsetting Bot Engine, deprecating Stories UI and releasing a new natural language processing solution. The new solution is designed to find a user’s meaning and information in messages and translate it to its bot. Going forward, the company plans on improving its NLP technologies, making it easier to collaborate with the community, and helping other platforms leverage the NLP API.

Node-ChakraCore updated
Microsoft announced a new preview release of Node-ChakraCore, based on Node.js 8 and available on Windows, macOS and Linux. Node-ChakraCore is designed to extend the reach of Node.js to Windows 10 IoT Core, according to the company. “From the beginning, it’s been clear that in addition to growing the reach of Node.js ecosystem, there’s a need to address real problems facing developers and the Node.js ecosystem through innovation, openness and community collaboration,” Arunesh Chandra, senior program manager for Chakra, wrote in a post. Updates include: full cross-platform support, support for the Node.js API, Node.js on iOS, and time-travel debugging.

MapR and Talend work towards GDPR data lake solution
MapR and Talend announced they are working together on a new solution to help customers address challenges and requirements for the European Union’s General Data Protection Regulation legislation. The offering will give companies the ability to create a governed data lake which meets the data storage, inventory, and security requirements of the GDPR. “The path toward GDPR compliance does not have to be complicated, but organizations do need to act now,” said Ciaran Dynes, senior vice president of products for Talend. “Working with MapR, we are helping customers deliver transparency through proper metadata management practices; establish a collaborative approach to data governance; and modernize their data platform to support data lake development that will ensure full compliance with GDPR.” The combined solution will address compliance challenges related to: data classification, data capture and integration, data anonymization, self-service data curation and certification, and more.

Intel earned $2.8 billion on sales of $14.8 billion, and analysts expect the U.S. chipmaker to report $14.4 billion in quarterly revenue. Patrick Moorhead, principal analyst with Moor Insights & Strategy, said in the AP report that he is not surprised Samsung surpassed Intel, and that Intel may be able to catch up when its memory output is at full production capacity in about six months.

Salesforce’s GDPR Commitment: Our Guide for the Path Ahead

The protection of our customers’ data is paramount. The General Data Protection Regulation is a comprehensive European privacy law that takes effect on May 25, 2018. Salesforce welcomes this law as an important step forward in streamlining data protection requirements across the European Union and as an opportunity for Salesforce to deepen our commitment to data protection. We are committed to our customers’ success, including compliance with the GDPR. Similar to existing privacy laws, compliance with the GDPR requires a partnership between Salesforce and our customers in their use of our services. Salesforce will comply with the GDPR in the delivery of our service to our customers. We are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR, and are working to make enhancements to our products, contracts and documentation to support compliance with the GDPR.

Preparing our Customers for the GDPR
Today we are announcing several resources to help our customers prepare for the GDPR:

GDPR Resource Website: We have created a GDPR resource website. In the coming weeks we will be releasing several white papers explaining how customers can comply with key GDPR principles in using our services.

New Trailhead Module: We have launched a Trailhead module titled “EU Privacy Law Basics,” which provides a detailed overview of the key principles of the GDPR as well as suggested actions for organizations. We hope our customers will take advantage of this free resource and use it to educate their own employees about the GDPR.

Contractual Addendum: We are also releasing an updated data processing addendum that contains revised or additional provisions to assist our customers with their compliance with the GDPR.

Our Ongoing Commitment to Data Protection
These resources supplement Salesforce’s robust privacy and security program that meets the highest standards in the industry. In October 2015, within hours of the European Court of Justice invalidating the EU-U.S. Safe Harbor program, we offered all of our customers a data processing addendum that allowed them to continue to transfer data to Salesforce without interruption. In November 2015, we became the first top-10 software company to achieve approval for binding corporate rules for processors from European data protection authorities. In August 2016, we became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework. Our Trust and Compliance documentation provides more information about our privacy and security certifications and controls. We look forward to supporting our customers’ GDPR compliance efforts.

Icertis Introduces GDPR Compliance Application for Contracts

BELLEVUE, WA – November 16, 2017 – Icertis, the leading provider of enterprise contract management in the cloud, today announced the introduction of the ICM GDPR Compliance application, adding to the company’s growing list of business applications built on the Icertis Contract Management platform. The new application delivers a comprehensive solution that ensures contracts between data controllers and data processors meet Europe’s strict new information security guidelines. The new Icertis app provides the fastest path to bringing existing contracts into GDPR compliance, while ensuring long-term adherence to the new regulation. “The only way for enterprises to stay on top of the changing global regulatory landscape is by digitally transforming their contracting foundation,” said Samir Bodas, CEO and Co-founder of Icertis. “GDPR is one of the most far-reaching regulatory changes related to data security in recent times. The ICM platform and ICM GDPR Compliance app help ensure all contracts in an enterprise are GDPR compliant today, and into the future.” For legacy contracts, the app uses AI-enabled smart search to automatically identify contracts that are not GDPR compliant. Once these contracts are identified, the app creates the appropriate Data Protection Addendums and routes them for approval and execution. As new contracts are drafted, the app assesses if they fall under GDPR regulations, and inserts appropriate European Commission-approved data privacy terms and clauses based on predefined rules. Post execution, the app monitors contractual commitments and tracks data processor obligations to ensure the highest level of compliance, enabling data controllers and processors to demonstrate the strength and efficacy of their approach. The app provides the Data Protection Officer with required visibility into GDPR compliance via a DPO Dashboard that monitors non-compliant contracts and data processors across geographies and contract types. 
The app’s collaboration portal allows data processors to manage their ongoing obligations and work with data controllers on all contracts and addendums. To learn more about the ICM platform and new ICM GDPR Compliance app, visit https://www. Icertis, the leading provider of enterprise contract management in the cloud, solves the hardest contract management problems on the easiest to use platform. Icertis helps enterprises transform their commercial foundation ensuring compliance, improving governance, mitigating risk and enhancing user productivity, thereby improving the bottom line. The Icertis Contract Management platform is used by 1+ million users at enterprises like 3M, Abbvie, Cognizant, Daimler, and Microsoft, to manage 3.5+ million contracts in 40+ languages across 90+ countries.

GDPR and Addressing Data Security Gaps with VMware

What an exciting opening keynote here at VMworld® in Barcelona! You’ve just heard Pat Gelsinger talk about the EU General Data Protection Regulation. The GDPR legally mandates that organizations protect personal data, and extends its reach beyond organizations established in the EU to others outside its borders. It sounds simple, but in getting “GDPR ready,” businesses are currently reviewing the way they handle and treat personal data, and instituting and enforcing adequate business governance, policies and processes to protect that data. Aligning to the regulation requires an intimate and ongoing understanding of privacy laws, business policy, and how to act correctly in the event a problem arises with someone’s data.

Technology alone cannot solve the lack of a privacy and data protection governance program. Technology can be leveraged as a tool aiding certain compliance functions or data protection tasks. As your organization evaluates the ways that personal data flows through the different functional groups and systems – such as email marketing, human resources or customer data – IT can determine how the data is secured. Privacy consultants may advise clients to create a current data map for personal data controlled by the business or processed on behalf of others. What data do you have? Where does it go? Where is it stored? Who has access to it? Who is responsible for it? How do you keep it safe?

IT can support activities to further prepare for ongoing compliance with the GDPR, and establish the coming process and policy updates, by assessing the security of personal data throughout the life of that data from creation to expiration. During this effort, IT can use the awareness gained from GDPR readiness assessments and can act as an enabler for identifying how IT secures all sensitive and confidential data such as intellectual property, financial data or contractual data, refining and modernizing its approach to data security along the way.
The model illustrates a possible approach to understanding data and its inherent security requirements – what we in IT call data protection. The intrinsic security capabilities within the VMware portfolio can provide a solid foundation for securing personal data and other sensitive information and may help support business policies which enforce elements of the GDPR. Preparation for the GDPR is a complex, cross-company effort likely requiring outside guidance and definitely requiring the enlistment of your internal subject matter experts. While at times daunting, GDPR readiness projects force us all to take a critical look at what data we hold and how we manage that data and information holistically. By improving our business processes to protect personal data, we protect both our customers’ information and our own.

General Data Protection Regulation: getting GDPR ready by 2018

By 2018 we are expected to have witnessed the first human head transplant, Adobe Flash is predicted to be no more, the UK may or may not have left the EU, and the flow of data into organisations will have increased by as much as five-fold, according to IDC. Another significant development due in 2018 is the deadline for meeting new regulations around the treatment of personally identifiable information. When combined with expected volumes of data growth, this could have huge implications for any business which processes personal data.

Earlier this year, the European Parliament passed the final vote on its new General Data Protection Regulation, which is designed to protect personal information in an increasingly digital world. The GDPR is by far the largest shake-up of data protection rules so far this century.

The first step in deciding which parts of the new legislation will apply to your organisation is understanding what is meant by personal data. The definition of ‘personal data’ in the context of the new regulation is data relating to a ‘data subject’ who can be directly or indirectly identified on the basis of that data. This means that, under the GDPR, data controllers within organisations should be aware of all personal data under their control and able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks. As well as ‘personal data’, key terms to understand include ‘territorial scope’, ‘data subject access requests’, ‘data protection impact assessment’, ‘the right to erasure’, ‘data portability’ and ‘consent’.

In order to meet your statutory obligations, you first need to know where personal data lives. A detailed analysis of the data stored on corporate systems, employees’ personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners, will be required to give you the full picture.

Step 4 – Develop a data map and classify every piece of information
Following this analysis, we recommend creating a data map which provides a 360 degree view of all physical and digital information, including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate, assess and monitor all information on an ongoing basis.

Organisations across Europe have long been familiar with the need to ensure that they store personal data according to the latest regulatory requirements. The introduction of the GDPR and associated penalties for non-compliance – which could result in fines of up to 4 per cent of annual world group turnover or EUR 20 million – means that it has now become critical to get data retention right.

Are you ready for GDPR compliance?

From May 2018, all organizations that collect, store or process data of EU citizens must comply with the GDPR.

Do you know GDPR? Recent research by Smart Business and ZDN.net shows that 65.5 percent of those questioned had never heard of GDPR and 29.3 percent only know the big picture. These are quite shocking figures given that the deadline for GDPR compliance is very near. The GDPR aims to protect EU citizens when it comes to their personal integrity, even when they are staying in China. Today, we live in a digital age where data is extremely valuable and has become an integral part of everyday business. Old data protection legislation is no longer sufficient to protect the consumer’s/patient’s rights.

The Requirements of GDPR
The GDPR applies to the complete processing of personal data stored on premise or in the cloud, from collection to deletion. Only 31 percent of organizations discover data breaches themselves. The GDPR requires companies to brief the subjects of such data breaches without undue delay so they can take the necessary precautions. The number of data subjects; the categories and the number of personal data records concerned; the contact details of the Data Protection Officer; and a description of the consequences of the data breach are examples of the information the GDPR requires in such a notification. This legislation also applies to organizations that are based outside of the European Union when they offer services to EU citizens.

“As you see, the associated risks are immense. This is precisely why this is a concern of the entire board and management,” says Simen Van der Perre, GDPR Business Developer at SecureLink. “The efforts of the IT department alone are not enough. There has to be a holistic company-wide approach. IT are typically those who know where the data is and how it is processed, but GDPR compliance is a business-related risk, affecting management, HR, legal, marketing, finance, etc. Therefore, you have to gain insight into all business data: where it resides, who has access and who is responsible for its integrity. Only then can you get a clear map of the business data landscape and its non-compliant areas.”

“It is certainly not our intention to use the GDPR to scare customers into doing or buying things, on the contrary,” says Van der Perre. As a specialized security advisor, SecureLink can clearly demonstrate the importance of compliance, and we have the right knowledge to guide you towards a smart and efficient approach. Our focus is on data protection, from a risk-based and technical point of view. We provide multiple solutions that securely process, store and monitor your data as specified in the GDPR.

GDPR for US Companies

The implications of GDPR for US companies who collect, maintain or process personal data of EU citizens will be significant – and compliance is compulsory. The implementation of GDPR will require comprehensive changes to business practices for companies that do not already have a comparable level of data privacy in place. GDPR has a much wider scope than the EU-US Privacy Shield, which only protects the flow of personal data in transatlantic data exchanges.

How GDPR applies to US companies collecting, using or maintaining personal data can be complicated – particularly with regard to EU citizens temporarily resident in the US, or cloud environments based within the EU but logically supported in the US. These questions, and several more, make GDPR compliance for US companies an issue businesses should address quickly. GDPR has been described by some tech industry compliance experts as the “privacy equivalent of SOX” – an indication of how serious GDPR is for US companies with European customers. The good news is that a recent survey published by PwC points to the fact that many multinational companies are taking GDPR seriously.

Auditing your company data will not be a trivial task, but it will enable you to make many informed decisions on how to comply with GDPR. The task of auditing your service providers’ data is where a lot of US companies may fall flat, and may be where the most significant risk resides in your business. If one of your data service providers is not able to prove that they are on the right side of GDPR compliance, then the work they do on your EU customer data will be deemed non-compliant. GDPR also gives EU citizens the right to receive their data in a standard format and to have their data transferred to another company at the customer’s request.

You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. Both of these types have different implications concerning how they comply with GDPR, and your company could be both a data controller and a data processor at the same time. It is essential that US companies carefully select their data processors for the EU market, as not all of these service providers will be in compliance with GDPR in time. You will need to review and update the internal processes that you currently have in place at your company to detect, report, and investigate data breaches once they do happen, so you can comply with the timeframe and rules handed down by GDPR regulators. While a large part of the GDPR regulation focuses on how companies look after their consumer data, your company will also have to do more than just make sure that it is compliant with those requirements.

Understanding GDPR and the Arts

In the UK, GDPR will replace the UK’s current data protection regulation, the DPA, and although this is an EU regulation, UK organisations will still need to comply. With less than a year to get ready, this post will take a look at what changes you may need to implement to get ready for GDPR. Over the years the amount of data companies and organisations collect from customers and Internet users has become staggering. There are very few services, products or sites that do not collect some amount of data from their visitors. Combine this with the advent of wearable technologies that collect data constantly, and it becomes clear why data protection has become incredibly important to regulators, customers and organisations alike.

What is GDPR?
GDPR will replace the existing data protection framework under the EU Data Protection Directive, and will apply to all organisations in the UK, Ireland and across the EU. The GDPR emphasises transparency, security and accountability by data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy. Customers must give explicit consent to data gathering. Data protection authorities will have more robust powers to tackle non-compliance, including significant administrative fining capabilities of up to €20,000,000 for the most serious infringements. It will be considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and the regulation allows lawsuits for compensation even in cases of non-material damage.

What Do Arts Organisations Need to Do to Comply with GDPR?
Build awareness about the change and what GDPR will mean for your organisation, especially the tougher penalties. Make an inventory of the personal data you hold and how it is managed. Individuals have the right to access their data, have inaccuracies corrected, have their information erased and object to direct marketing. What are your procedures for detecting, reporting and investigating a data breach? Who will be responsible? Remember that all breaches must be reported to the DPC or UK equivalent, typically within 72 hours, unless the data was anonymised or encrypted. What information do you give individuals prior to processing data? Remember, before gathering data, you need to let people know: the legal basis for processing the data, how long you will retain their data, and their right to complain. If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. In preparation, your organisation should do a data protection audit and develop a plan for change where necessary.

Survey shows confusion around GDPR compliance

GDPR compliance is proving to be an obstacle as the looming deadline throws light on worldwide confusion and lack of preparation. With the GDPR deadline set for May 25, 2018, WatchGuard Technologies has shown in its survey that many organisations are ill-prepared due to uncertainty surrounding compliance criteria. A mind-boggling 37 percent are unaware of whether their organisation needs to comply with the data protection requirement, according to WatchGuard Technologies, while 28 percent believe there is no need to comply. UK respondents are better informed, with 25% of ‘don’t knows’ and a mere 13% under the impression that they do not need to comply. The GDPR-related survey scrutinised the views of over 1,600 organisations and was carried out by independent market research firm Vanson Bourne.

“Once enforcement for this new legislation begins, companies all over the world will feel its impact. Unfortunately, the data shows that an alarming number of organisations are still unaware or mistaken about the need for GDPR compliance, leaving them three steps behind at this stage. In the Americas, just 16 percent of organisations believe they need to comply. With sensitive customer data and non-compliance fines at stake, every company with access to data from European citizens needs to ensure they truly understand GDPR and its ramifications.”

“Penalties for noncompliance are steep and the deadline is just around the corner. Companies stand to lose four percent of their worldwide revenue if they haven’t met all the requirements by next May. The only way to prevent unnecessary fines and frustration is to take a good hard look at the criteria, assemble a GDPR plan of action and begin implementing it immediately.”

GDPR criteria state that any company which processes or stores personal information relating to EU citizens must demonstrate its compliance. Of the many respondents who do not believe the law applies to their organisation, one in seven collect personal data from EU citizens, while 28 percent of respondents are unsure whether or not they collect this variety of information. For businesses that are not yet GDPR compliant, respondents estimate that it will take approximately seven months to complete the requirements, and nearly half of those are reported to be likely to seek assistance with compliance from an outside party. Despite time running out, of those who reported that their organisation needs to comply, 86 percent believe they have a robust compliance strategy implemented. 51 percent of those believe that their organisation will need to make major changes to their IT infrastructure in order to comply. Firewalls, VPN and encryption are shown to be the security measures most likely to be involved in compliance strategies.

Amsterdam refuses to publish Whois records as GDPR row escalates

Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law. ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law. Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. In notices concerning .amsterdam, published by ICANN, the two registries have been told they are in breach.

A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation. The GDPR is perhaps the most pressing issue for ICANN at the moment. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic. According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.

These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now. During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about – under the watch of previous CEOs – without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee. “We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said on October 4. ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away. ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties.

The domain industry has accused ICANN the organization of not doing enough fast enough. The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other. The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.

Getting Ready for GDPR: Turning the Data Privacy Challenge into Business Value

In today’s data-driven economy, the question on many people’s minds is how to use business data without violating data privacy regulations. Data protection has always been a key component of SAP’s product standards, and we are constantly adapting those standards to reflect the new requirements brought in by GDPR and other data protection regulations around the world. Companies today have massive amounts of data, but often, privacy concerns and the related legislation prevent them from using it. Just imagine what would be possible if you could analyze this data effectively while at the same time still ensuring and protecting privacy. For SAP HANA, our in-memory database and application development platform, we are working on developing a new customizable functionality that will allow customers to both anonymize live data and provide an anonymized view of live data in SAP HANA. Our vision is that companies will be able to protect sensitive data while still gaining valid statistical insights. At the same time, we are exploring a variety of different new data-centric analytic use cases on SAP HANA that will be able to use sensitive data while still complying with all the relevant privacy regulations. The use of this data for the purpose of such evaluations is restricted due to the privacy concerns of drivers and other stakeholders. While there are many benefits to be gained from these types of processing operations, when personal data is involved there are obviously implications for privacy and data protection. Or did you know that you can keep personal data only for a limited period of time due to privacy laws? After that period of time, the personal data must be deleted. Anonymization allows you to continue using the data for further analysis without compromising the privacy of individuals or violating privacy regulations. 
Data anonymization goes beyond existing security functionality like masking and complements SAP HANA’s comprehensive security capabilities, allowing companies to stay in complete control of their data over the course of their digital transformation journey. Turn the data privacy challenge into an opportunity by exploring new data-centric, value-adding scenarios, for example data-as-a-service, without risking compliance. Maximize the value of your data by using state-of-the-art anonymization technology to leverage sensitive or personal data in use cases where this data could not previously be used due to rules and regulations. There is no doubt that new regulations will continue to increase the pressure on businesses to ensure data privacy, and the GDPR is just one example. With security and compliance being part of our core business, and data security and protection part of our DNA, SAP was, is, and remains your reliable partner for all your business challenges – now and in the future.

Rakuten Marketing

The General Data Protection Regulation – GDPR – is the overall regulation on the protection and handling of personal data for the European Union, coming into force from 25th May 2018. It may not be the most exciting of topics, but no one working in digital marketing – or indeed any business that deals with personal data – doubts the importance of the GDPR.

It brings changes to existing data protection law, and is designed to strengthen rights and empower individuals by giving them more control over their personal data. With the introduction of the GDPR come changes to the requirements placed on businesses that process data from individuals in the EU. These changes could have a huge and immediate impact on the way some marketing businesses – many of which rely on customer data to deliver personalised experiences, for example – handle their customer data.

Among the provisions particularly likely to have implications for marketing:

Data minimisation – no more data can be collected than is necessary for its purpose.

Right to object – people have the right to object to their data being processed in certain circumstances, including its use for direct marketing.

Automated processing – these rights are designed to safeguard individuals against risks relating to damaging decisions made as a result of automated processing of data.

Transfers outside the EU – data may only be transferred if certain criteria are met; for example, the third country or international organisation in question must offer an “adequate” level of data protection.

If you work with us at Rakuten Marketing as an advertiser, publisher, or other type of partner dealing with customer data, you’re an important part of the data collection chain and therefore have a responsibility to be GDPR compliant. Given your position in that chain, it is vital for you to have a robust compliance regime in place.

IT News Africa – Africa’s Technology News Leader

Ahead of the pending enforcement of the Protection of Personal Information (PoPI) and General Data Protection Regulation (GDPR) legislation, organisations are hurriedly carrying out compliance strategies and tightening up their data security processes. GDPR is being put in place to strengthen the protection of the personal information of all European Union citizens, and its reach extends to any organisation that conducts business with, or within, the EU, or that holds the data of any EU citizen outside its borders. Our local variant, PoPI, is coming into effect to ensure measures are put in place to hold local organisations, and those doing business with them, accountable for the security and integrity of personal information belonging to any South African citizen.

There are overlaps between the two pieces of legislation and, while compliance with both is being encouraged, it may not necessarily make financial or business sense to do so. Compliance can be an expensive and arduous process, especially if the proper research is not done. The trouble with the former is that compliance can take a long time to accomplish, and businesses may run out of time if the deadline is sooner rather than later. The latter may make sense to some; however, once PoPI is in effect, if organisations are caught out for being non-compliant or a data breach occurs, they could be liable for severe fines and even imprisonment. While PoPI compliance is unavoidable for organisations operating within, or from, South Africa, businesses need to weigh the costs and impacts of complying with GDPR unless it is necessary for business continuity, both now and in the future.

What’s the difference?

South African organisations that do business solely within our borders and have no plans to expand into European markets within the next two to five years may be best served by putting GDPR compliance on the back burner for the time being. Of course, if South African organisations intend to extend business to European markets in the near future, they will have no recourse but to ensure that they comply with GDPR as well as PoPI. However, this should be done in a logical, step-by-step approach. Although GDPR has a committed enforcement date set for May of next year, PoPI compliance is more critical to sustaining local business operations. From a local perspective, organisations should be addressing PoPI first. Organisations should still look at the overlaps and address those for both PoPI and GDPR simultaneously, ticking off the necessary boxes for GDPR as they work through their PoPI compliance. The remaining GDPR requirements can be met as and when the organisation determines to move into EU markets.

So where do I start?

Above all, organisations need to understand the impact of compliance on their environment to better manage the process, and keep it as simple as possible.

Promontory Financial Group

Do Now: Start the Change Process

Become familiar with the GDPR and raise awareness of its significance by:
- Identifying elements of the GDPR that are most likely to affect your organization, particularly in relation to business strategy, infrastructure and IT planning, new market ventures, and business-model development
- Developing a vision of the changed business and preferred outcomes for the organization in the context of the GDPR
- Communicating key messages about the GDPR to senior internal stakeholders

By Spring 2016: Initiate the Program

Set out a GDPR change-program plan by:
- Obtaining a mandate from decision-makers to establish the change program
- Establishing the activities needed to achieve the required change, and the resources required
- Defining success criteria for the program and the activities to be undertaken
- Formulating a program approach and governance structure
- Recognizing the interdependencies between this change and other initiatives underway or planned
- Understanding the need to manage the change program while maintaining business as usual
- Establishing a stakeholder-management plan and engaging key people in the business about the changes required

Identify strategic and critical questions for immediate consideration, such as:
- Location of the organization’s main establishment
- Appointment of a data protection officer
- Risk appetite in the context of higher maximum fines
- Potential impact of the U.K. exiting the European Union after a referendum

Identify GDPR hot topics in relation to personal-data processing that are critical to your business model, for instance:
- Lawfulness of processing, in particular the use of consent or legitimate interests
- Processing of children’s data
- Processing of special categories of data, or data related to criminal offenses and convictions
- Use of automated decision-making, including profiling
- Organization as a data controller and/or processor
- Conditions for transfers of personal data to third countries
- Data processing for specific situations, such as for journalistic, scientific, or statistical purposes

By End of 2016: Mid-Program Checkpoint

Establish the state of play of the program by:
- Assessing progress against program activities and objectives
- Informing stakeholders of the conclusion of the change program and the transition to business as usual

Ensure that all GDPR change-management work is documented so that evidence can be provided as required to internal stakeholders, internal audit, and regulators. Assign responsibility for managing and monitoring the application of the GDPR in the organization and continue to examine how the benefits of the new rules and operating model can be best realized.

Promontory assists companies throughout the full life cycle of building, managing, and sustaining privacy and data protection governance programs.

Pegasystems Talks GDPR Risks For Corporates

The eyes of the financial services world are on the EU’s upcoming PSD2 regulations, with many jurisdictions watching how the European market evolves and responds to rules that support data sharing and open banking while maintaining data security. Also looming is the General Data Protection Regulation (GDPR), and new research released this week from Pegasystems confirms that awareness of the rules is low. As more data protection regulations take shape, businesses are kept on their toes and must respond appropriately to consumers’ control and ownership of their own data.

According to Pegasystems research, only 21 percent of consumers actually know what GDPR is. While announcing its own survey, Pegasystems also cited research from Gartner that found more than half of businesses affected by GDPR will be non-compliant by the end of 2018. Any company, whether within the EU or not, that interacts with an EU citizen’s data must comply with GDPR rules. Of course, the first risk that comes to mind if a business finds itself non-compliant with GDPR is the threat of a fine. Researchers found that 85 percent of small businesses surveyed would be impacted by GDPR rules in some way, yet 44 percent said they were so far unaware that they would be required to hire a GDPR officer. Under GDPR rules, fines can reach up to 4 percent of annual turnover, or a maximum of about $24 million.

Nicholson said that the fines are issued on a sliding scale based on the size of the company, so SMBs are certainly less exposed to GDPR risks than large corporates – but that doesn’t mean SMBs are in the clear. Zurich seemed to disagree, warning that a tenth of SMBs hit with the maximum fine for non-compliance under GDPR would be forced to cease operations. GDPR comes into effect in May, but on top of a lack of awareness about the regulations, Nicholson said that the law is largely one that will be left up to member states’ and corporates’ interpretation of the rules.

Lack of awareness and clarity regarding exactly how to interpret GDPR will be a challenge, especially for small businesses that not only store customer data but also hold their own data that may be interpreted as consumer data under the law. That may be all the more reason for companies to listen up and get educated now – because, according to Pegasystems, there are even more implications for companies affected by GDPR. These include an impact on the customer relationship and customer trust: Pegasystems research found that business behavior such as robo-calls, marketing irrelevant products to customers or even a poor customer interaction could trigger a customer’s request for their data. Whether it’s a small business facing potentially crippling non-compliance fines, or a major corporation suddenly faced with data requests from thousands of customers, the business world cannot afford to ignore GDPR.

Data security is being pushed to the top of the agenda by the new General Data Protection Regulation that comes into force next May, and that means a focus on issues that many organisations have neglected. Companies across the globe that process data about European Union individuals will need to take much more stringent security measures to keep that data safe from prying eyes, whether those are criminals or employees. One area of the GDPR that hasn’t got quite as much attention, though, is continued access to data.

Getting to grips with the GDPR

The GDPR is an EU-wide piece of legislation which creates a revolutionary series of new rights for individuals and will force everyone to think differently about how individuals’ data is treated. A Data Subject – any individual – has the right to much greater control over how their data is used by Data Controllers – people or companies who keep personal information such as sales records – and Data Processors, the people who use the data, such as call centres. One of the responsibilities of both data controllers and data processors is to keep that data safe, and if there is a data breach, organisations can be fined up to 4% of their annual global turnover or €20 million.

The GDPR’s security requirements also include “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. Previous EU regulations gave firms up to seven days to restore data; restoring access to personal data in a “timely manner” is likely to be interpreted more strictly. Many larger businesses have relied on back-up tapes as a fixed form of storage – sometimes known as “immutable buckets” of data, as they can’t be amended and are separate from the rest of the system. The length of time that tapes require to restore data may be prohibitive, both for the business, given the potential reputational damage of a slow recovery, and under the new GDPR.

Companies like Sungard AS offer online solutions which are much faster and use a Data-Recovery-as-a-Service model, which means that data protection and recovery expertise can be brought to bear on the affected system. Since most businesses have multiple systems and data flows, there is seldom any single way of protecting data, which makes a holistic approach vital. Cloud data storage and recovery, using data centres such as Amazon’s AWS service, are now being used by NASA, the United States Air Force and the US Department of Justice, which offers a great vote of confidence in the levels of security for the data. Not having a disaster recovery plan means losing valuable data – and worse. Data is at the heart of most companies’ ability to do business, which means that every minute counts. In 2016, a study by IBM found that a single data breach cost companies in the US around $7 million on average, an overall increase in costs of seven percent.

New Data Protection Bill

At the beginning of August, the UK government announced proposals for a new Data Protection Bill. The new law is intended to give individuals greater control over their personal data, especially with regard to the right to be forgotten. It will be easier, and free of charge, for individuals to ask companies to disclose the data they hold on you, and companies will require your clear and explicit consent to continue to contact you, and not just on a generic basis. You will be able to give your consent to a number of options, i.e. they will no longer be able to ask you to tick one generic box giving them permission to ‘keep in touch’; rather, you will be able to opt in, or not, to an entire menu of options, e.g. newsletter, new products, etc. If a company is found to be in breach of the new law, fines will be a lot heftier, with a maximum of £17m or 4% of global turnover. For SMEs, this could be the difference between survival and closure.

Digital Minister Matt Hancock said that the new Bill “will give us one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit. We have some of the best data science in the world and this new law will help it to thrive.”

The similarities with GDPR

While the changes in the law for the DPB sound all very well, what the government is proposing is virtually identical to the new European GDPR law, which will come into effect next May. GDPR will also give us robust and dynamic data laws – and as the new EU rules will come into force before any possible Brexit, the UK will have to be compliant anyway. To be fair, there are two aspects of the DPB which do go further than GDPR. The new UK law will extend the right to be forgotten to social media posts dating from before people were 18, if they request it. It also makes it a criminal offence to alter data records following a Subject Access Request. Everything else, such as the new rules on IP addresses, cookies, DNA etc., is exactly the same as GDPR.

Lumina Technologies’ MD Richard McBarnet is simultaneously impressed and unimpressed by the government’s announcement. “I applaud the fact that the government is taking data privacy seriously and embracing GDPR despite Brexit. Overall, GDPR is a positive thing and it is good that the government is at least making its position clear in the muddy waters of Brexit. But the government’s claim that DPB sets the UK apart falls flat when you compare it to GDPR. In fact, I really am struggling to see the differences between DPB and GDPR and it feels a little like the government is trying to take credit for pan-European work that has gone into GDPR.”

GDPR compliance

One of MSL’s top priorities is the security of clients’ data as well as data provided by individuals to MSL for other business purposes. For us, this goes hand in hand with maintaining compliance with all applicable legislation and regulation governing the processing of that data. You will be aware of the updated data protection law, the General Data Protection Regulation, which comes into force in May 2018. Whilst MSL regrets that it cannot give legal advice to its clients, we will share with our clients the challenges of understanding the GDPR and ensuring our compliance over the coming months. MSL has an ongoing GDPR compliance programme in preparation for the new laws, and we are monitoring guidance from the UK Information Commissioner’s Office and European authorities as it becomes available. MSL proposes to use this page to post relevant news and updates on GDPR to inform and assist its clients in preparing for GDPR compliance.

Following the ICO publication of guidance on these issues in October and November 2017, MSL considers that our revised licence agreements need to accommodate clauses which acknowledge these functions and grant permission to MSL from the data controller to carry out such processing.

Proposed Data Retention Policy – we’re grateful to everyone who has commented so far on the proposal, and MSL is keen to solicit more feedback before we finalise it. Consultation with clients on a proposed MSL data retention policy has continued, and an outline of the main principles applying to clients’ student data can be reviewed here. Consultation with MSL clients on their requirements for personal data retention, to inform our work on drafting the policy to be introduced in May 2018, is under way.

Documentation – for data controllers and data processors. The ICO has published draft guidelines for contracts between data controllers and data processors – read their consultation documents here.

MSL has completed the essential legal drafting of new agreements for new clients and a standard contract variation for existing clients to maintain compliance with data protection legislation through the introduction of GDPR. We are now consulting with our legal advisers and with clients on the introduction of a standard data retention policy for personal information, which will be included with the new agreements.

Q: What if a student changes their mind about their data sharing – i.e. whether it’s to give or withdraw permission – is there something in place that can switch a student’s data feed from the University on or off without SU staff having to do it manually?

A: Our forthcoming GDPR compliance contract change will include MSL’s obligation to report a personal data breach without undue delay and in any event within 48 hours, in recognition of the data controller’s obligation to report to the ICO within 72 hours.